Wednesday, February 28, 2018

CSE wins big in 2018 budget

The 2018 budget, tabled by the Finance Minister on February 27th, promises some big spending boosts for the Communications Security Establishment over the next five years, with additional money pledged for both the IT Security and the SIGINT programs.

For starters, the government is promising to spend $507.7 million over the next five years, and $108.8 million per year thereafter, to fund a new National Cyber Security Strategy (NCSS). $155.2 million of that sum, and $44.5 million per year ongoing, will be provided to CSE to create a new Canadian Centre for Cyber Security (see pages 203-205):

By consolidating operational cyber expertise from across the federal government under one roof, the new Canadian Centre for Cyber Security will establish a single, unified Government of Canada source of unique expert advice, guidance, services and support on cyber security operational matters, providing Canadian citizens and businesses with a clear and trusted place to turn to for cyber security advice. In order to establish the Canadian Centre for Cyber Security, the Government will introduce legislation to allow various Government cyber security functions to consolidate into the new Centre. Federal responsibility to investigate potential criminal activities will remain with the RCMP.

To carry out its responsibilities, the RCMP will get a new National Cybercrime Coordination Unit funded to the tune of $116.0 million over five years, and $23.2 million per year after that.

The rest of the NCSS money, $236.5 million over five years and $41.2 million per year after that, will go "to further support Canada’s new National Cyber Security Strategy." At the moment, however, it appears that none of that additional money will flow CSE's way.

Even more money will be provided to "modernize/enhance the Government’s digital services" (see page 206): "$2.2 billion over six years, starting in 2018–19, with $349.8 million per year thereafter, [will be spent] to improve the management and provision of IT services and infrastructure within the Government of Canada, and to support related cyber security measures." Most of that cash will be going to Shared Services Canada, but an unspecified portion of it is promised to CSE.

[Update 28 February 2018: According to the Defence Minister's office, CSE will receive a total of $16 million over six years from this funding.]

Meanwhile, new money is also promised to the SIGINT program (see page 208): "In order to keep pace with rapid technological change that can challenge its ability to effectively collect foreign signals intelligence, the Government proposes to provide the Communications Security Establishment $225 million over four years, starting in 2020–21, and $62.1 million ongoing, to ensure this capability is preserved."

If these promised budget boosts are fully implemented, the new IT Security and SIGINT money will eventually total an extra $106.6 million a year for CSE, plus whatever money comes from the digital services initiative and any additional National Cyber Security Strategy money that ends up in CSE's coffers. [The information I received from the Minister's office indicates that these amounts will be minimal.] If no other changes are made to CSE's budget in the interim, this would represent an increase about 18%—large, but not quite of the scale of the increase (25%) the agency received in the immediate wake of 9/11.

Even at 18%, it is likely that the new funding will mean significant new growth in CSE's staff. Currently at about 2300 employees, the agency could eventually grow to 2700 or even more, although it is possible that a significant number of those bodies might end up working for contractors instead and thus wouldn't appear on the employee rolls. The SIGINT side alone could easily expand by 300 people, which would enable development of a significant Computer Network Attack capability as well as support growth of more traditional intelligence-gathering activities.

These are pretty big numbers.

For now, however, most of the money exists only in the political fantasyland of distant budget-year promises. We probably won't even know what all of this means for the fiscal year about to start until the 2018-19 Main Estimates are released, which, according to this new thing called Interim Estimates, could be as late as mid-April. Stay tuned for that.

The government's decision to dedicate significant additional resources to national cyber security and to concentrate that effort in one organization, much as the British and some of our other allies have done, is a good one, I think. As to whether it will be sufficient to address the threat, I have no idea. I assume we'll get some more details of what precisely is proposed whenever the National Cyber Security Strategy itself is released.

I'm undecided on the question of whether CSE should be the agency where the national cyber security effort is concentrated. CSE certainly has most of the expertise on this subject now, and to the extent that cyber security draws on intelligence-gathering efforts to detect, attribute, and counter such activities its involvement may be essential. But CSE's other mandates also pull it in the opposite direction, away for example from initiatives that might have the effect of making cyberspace as a whole a more secure place.

The fact that the same budget is promising to boost the SIGINT program—so as to preserve and/or increase Canada's ability to conduct its own Computer Network Exploitation and Attack operations—throws this whole aspect into rather stark relief. Intelligence-gathering is certainly valuable. The net benefits of CNA I'm less convinced about.

But as to whether those various imperatives are best balanced within a single agency or among two or even three agencies at the Cabinet/PCO level is, I think, a serious question that we seem at the moment to be answering by default.